The Information Commissioner’s response to the public consultation
from the Department for Business, Energy and Industrial Strategy
(BEIS) entitled Domestic energy retail consultation: opt-in switching and
testing opt-out switching


About the ICO 




The Information Commissioner's Office (ICO) welcomes the opportunity to 
respond to the BEIS consultation Domestic energy retail consultation: opt-in 
switching and testing opt-out switching. 


The ICO has responsibility for promoting and enforcing data protection and 
information rights. This includes responsibilities under the UK General Data 
Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the 
Freedom of Information Act 2000 (FOIA), the Environmental Information 
Regulations 2004 (EIR) and the Privacy and Electronic Communications 
Regulations 2003 (PECR). The ICO is independent from government and 
upholds information rights in the public interest, promoting openness by public 
bodies and data privacy for individuals. The ICO provides guidance and support 
to individuals and organisations, aimed at helping organisations to comply, and 
it takes appropriate action when needed.


Summary 




BEIS proposes new primary legislation which will require energy suppliers to 
share consumers’ personal data and other information with a delivery body and 
potential new suppliers for the purposes of creating personalised offers of 
alternative energy tariffs for consumers. These proposals aim to boost 
competition in the energy market by helping consumers to switch to more 
competitive deals. The main part of the scheme gives consumers the ability to 
‘opt-in’ to switching once they have received details of a better tariff. BEIS also 
intends to test switching in some situations that will take place unless the 
consumer actively exercises their right to ‘opt-out’. 


Public trust is vital to the effective use of personal data. Responsible, safe and 
trusted data sharing and data use can deliver economic and wider public 
benefits. Data protection legislation and PECR provide important checks and 
balances while also supporting business success and the delivery of services to 
consumers. In principle, the ICO welcomes the responsible use of personal 
data to support an active, competitive energy market and to help consumers 
benefit from cheaper energy costs. 


BEIS will need to be satisfied of the necessity and proportionality of the 
processing of consumers’ personal data. These proposals will therefore need to 
be kept under review, particularly given the rapidly changing nature of the 
energy providers and market. 


BEIS is seeking views on a range of potential options, and we have therefore 
not sought to provide exhaustive comment, instead highlighting some general 
principles engaged by these proposals including the potential impact on 
individuals who have rights to data protection under UK GDPR, whom we refer 
to as consumers in this response. BEIS has already engaged with the ICO and 
we welcome continuing engagement as the policy develops, both in relation to 
any primary or secondary legislation that might be proposed, and in any 
implementation phase. 


‘Opt-in’ switching 


A data protection impact assessment (DPIA) is a helpful tool in adopting a 
privacy by design and default approach as required under Article 25 UK GDPR. 
Data controllers must undertake a DPIA where the processing of personal data 
is likely to result in a high risk to individuals.¹ More generally, the process of
preparing a DPIA assists controllers in identifying and minimising risk and in 
formulating suitable mitigating steps. A thoroughly considered DPIA is likely to 
address many of the issues we refer to in this response. 


We understand from our current engagement with BEIS that work is ongoing 
on a DPIA and we look forward to understanding BEIS’ settled view of the risks 
arising and the mitigations it proposes. As part of its DPIA and in consultation 
with its data protection officer, BEIS will need to give detailed consideration to 
the personal data in scope. It will be essential to map out the anticipated data 
flows to clarify how the data will be processed and when data sharing takes 
place (and who with), as well as clarifying matters such as the controllership of 
personal data throughout its journey, and assessing the potential impact on 
the individual. The ICO’s guidance on data protection² and our detailed data
sharing code of practice,³ which now has statutory force, will be of assistance in
this respect. 


The personal data to be processed needs to be adequate for the purpose but
limited to what is necessary. Overall, the processing should be necessary and
proportionate, and it must also be fair. In this respect, BEIS will need to take
account of consumer expectations, and be sure that it has considered and
documented in its DPIA the range of options it has considered to ensure that
its policy objectives are ultimately achieved in the most privacy-friendly way.


In particular, although the consultation refers to ‘opt-in’ switching and the
testing of ‘opt-out’ switching, the data sharing proposed works on an ‘opt-out’
basis in both cases. This presents challenges in implementation for both parts
of the scheme to ensure that there is adequate transparency and the
avoidance of miscommunication. We welcome further clarity about how BEIS
proposes to address this.


1 See Data protection impact assessments | ICO
2 Guide to the UK General Data Protection Regulation (UK GDPR) | ICO
3 Data sharing information hub | ICO


In considering BEIS’ approach to less privacy-intrusive options, we would also
welcome an understanding of whether suitable alternative tariffs can be generated
from non-personal information, perhaps including energy usage and details of 
an existing tariff. If this is feasible, it may mean that there is no need to 
process personal data until a consumer elects to opt-in to switching, or it 
might reduce the amount of personal data required. This would be particularly 
relevant in a scenario where there is no better tariff available and such 
consumers are not stated to be a priority for switching. 


BEIS has yet to decide who will send the prompt to switch. It has highlighted 
possible problems in incumbent suppliers doing so, including their potential 
difficulty in calculating the cheapest market offering. We await BEIS’ 
conclusions on this point, but would underline that if incumbent suppliers issue 
the prompt, consumers’ personal data need not be shared until and unless 
they engage with the switching process. This would be less intrusive and would 
give them greater control over their own personal data. 


We also look forward to hearing more about the personal data that will be 
required to identify the individual cohorts of consumers for ‘opt-in’ switching. 
Use of objective criteria, such as the length of time that a consumer has been 
on a default tariff, is likely to be more privacy-friendly, ensuring that excessive 
personal data is not required for this purpose. If suppliers select consumers for 
switching, then careful attention will be needed to restrict the data sharing to 
what is actually required, under the data protection principle of minimisation. 
The requirements and safeguards of UK GDPR will still apply to personal data 
that has been processed using personal identifiers or other pseudonymisation 
methods, but using such methods might help to mitigate some of the risks in 
processing. 


Care will also be needed to identify circumstances where there may be profiling 
or automated decision-making and the steps that will be taken to ensure the 
appropriate safeguards are in place under Article 22 UK GDPR, including 
ensuring that this information is brought to the attention of consumers. These 
matters will need to be included in the DPIA. 


Lawful basis 

BEIS should consider all available lawful bases for processing in their DPIA. To 
date, BEIS has suggested that suppliers might rely on legal obligation as the 
lawful basis for processing under Article 6(1)(c) UK GDPR, relying on new 
statutory provisions requiring them to share personal data with a delivery 
body. Under UK GDPR, consumers would then have no right to object to the 
processing, no right of erasure of their personal data, and no right to data 
portability. BEIS will therefore need to consider the potential risks this will
create and the impact on individuals. 


BEIS will also need to consider in more detail how the lawful basis for 
processing will link in with the suggested ‘opt-out’ from data sharing. Given 
the nature of the scheme, we assume that any new legislation will allow 
individuals to opt-out at any time and that it will be easy to do this, free of 
charge. This would require mechanisms to deal with situations where 
consumers ‘opt-out’ after the deadline and after their data has been shared 
with the delivery body. There should be a clear process to facilitate this, 
including processes for the deletion of any data shared. However, consumers 
also need to understand whether they can be included in proposals for future 
data sharing and switching, and the process to facilitate that. The rationale for 
BEIS’ conclusions on these matters will need to be set out in its DPIA. 


Special category data and vulnerable individuals 




Processing the personal data of consumers with communication needs is likely 
to involve special category data and will require an additional condition for 
processing under Article 9 UK GDPR, as referred to in the consultation. The 
consultation refers to existing processes between third party intermediaries 
and suppliers to identify consumers who are eligible for the Priority Services 
Register (PSR), which could also include special category data. It will be 
important to ensure that all special category data is identified and processed in 
accordance with data protection legislation and is addressed in a DPIA. 


The consultation suggests that identifying consumers for the PSR might be 
included as part of the role of the delivery body. If this is the case, 
consideration needs to be given to the sources of this information and the 
nature of any additional data sharing that might arise as a result. In the same 
way, BEIS will need to clarify the nature of the data sharing required to ensure 
that those who already receive Warm Homes Discount continue to do so. 


The consultation does not discuss how suppliers and the delivery body will 
satisfy themselves of the identity of the consumer. Processes will also be 
required to address situations where individuals act on behalf of others, 
especially in the situations of carers or others who manage an individual’s bills, 
but without any formal authorisation in place. Furthermore, some people may 
become unwell during the switching process. Mechanisms will need to be 
developed to address such issues. 


Transparency and communications with the consumer 




Transparency and fairness are vital aspects of UK GDPR, which engender public 
trust, and support initiatives that can help consumers, so these proposals need 
to ensure that individuals clearly understand their options about the sharing of 
their personal data, in addition to their choices for switching. This is
particularly important as the term ‘opt-in’ in this consultation refers only to the
switching and not to the sharing of personal data, which operates on an ‘opt-out’
basis in relation to both parts of the proposal. Individuals will therefore
need a meaningful opportunity to ‘opt-out’ of the data sharing, with a
proportionate timeframe for a response that takes into account the lengthy
period for which they have been disengaged. These messages need to be clear about who
has sent them and the reasons for the communication, and consumers will 
need to know if they can change their mind. 


The consultation suggests that consumers might receive several prompts to 
engage, but this needs to be carefully balanced. Clear parameters should be 
set about the amount of contact the consumer can expect, including 
safeguards to ensure that communications do not become excessive or a 
nuisance, either at the time of data sharing or switching, or later on. 


BEIS will need to consider fairness when considering how individuals can 
exercise their ability to ‘opt-out’, for example by providing a freepost address 
or freephone number, to ensure that the ‘opt-out’ from data sharing is 
available to everyone, including those who are digitally excluded. 


When considering the nature of communications with consumers, BEIS will 
particularly need to take account of the requirements of the Privacy and 
Electronic Communications Regulations (PECR). These regulations mean that 
organisations often need an individual’s specific consent to send them 
unsolicited direct marketing on the telephone or by electronic means. Under 
Article 21 UK GDPR, an individual also has a right to object to the processing of 
their personal data for direct marketing purposes. These provisions would 
apply, even if a delivery body were to send marketing information to 
consumers about other suppliers or the services of third parties. 


Terminology and tone, in communications to individuals, and particularly 
ensuring factual and neutral language, will therefore need to be carefully 
considered, especially when explaining the nature of potential options for 
switching. For example, any words or phrases that might suggest that an 
individual is being offered an exclusive deal, or is under pressure to respond, 
are likely to amount to marketing which will restrict the circumstances in which 
it might be lawfully sent to them, or mean that they can object to
receiving it. 


We therefore welcome further engagement on the detail of these proposals, so 
we can understand how BEIS will meet the principles of transparency and 
fairness, especially in the planned communications with consumers. 


Delivery body 




The data protection implications arising from processing will depend on the 
delivery body selected, and the personal data that it will process. Safeguards 
will be needed to ensure that the delivery body only processes personal data 
for the purposes of the switching scheme, as explained to the individual, and
data sharing agreements will need to set out the arrangements between data sharing
participants, as recommended in the ICO’s data sharing code.


Sharing personal data across a range of delivery bodies, rather than a single 
entity, is likely to increase the risks of processing, and the necessity and 
proportionality of such an approach will need particular consideration, if 
adopted. In particular, additional mitigating measures, especially to ensure 
that the data protection principles of data minimisation and data security are 
adhered to, are likely to be required. 


Clarity is also needed about what will happen to consumers’ personal data 
once it has been shared with the delivery body. This will include the possibility 
of any follow up engagement after the initial prompt and/or switch, including 
situations where an individual might be invited to switch again or when a new 
tariff runs out. We would expect that individuals would have a further opt-out 
so that they could choose not to receive notifications in future. Data shared 
initially is likely to be insufficient or potentially inaccurate for such purposes,
which raises important questions about the retention and deletion of the 
personal data that will need to be fleshed out in a DPIA. 


Testing of opt-out switching 




In principle, one of the aims of data protection legislation is to put people in 
more control of their own personal data. At present, there are limited 
circumstances where a supplier can switch a consumer to another energy 
provider without their consent. 


While BEIS does not want to interfere with the ability of energy companies to 
select their own pricing structures, the proposed interventions, especially in 
the ‘opt-out’ testing, could impact on consumers’ autonomy and data rights, as
well as their contractual commitments and personal finances. 


Many consumers are likely to welcome lower bills, but some of those identified 
for switching in either part of this scheme could be worried or suspicious about 
the prompts to switch that they might receive. In the ‘opt-out’ testing, 
appropriate attention to transparency and fairness will therefore be even more 
crucial to ensure that the opportunity to ‘opt-out’ is meaningful, and that 
consumers understand how their data will be used, as well as understanding 
the switching process. This is especially the case as the data sharing and the 
switching will otherwise take place without consumers’ consent. 


In this respect, the consultation acknowledges that price is not the only driver 
for apparent disengagement, and this might apply to consumers for the ‘opt-in’
scheme or those in scope for ‘opt-out’ testing. We particularly welcome
understanding more about the safeguards that BEIS intends to implement
around the process of the ‘opt-out’, and particularly the risk that a consumer
who is content to switch in principle may nonetheless have objections to
specific energy suppliers on the basis of factors other than price, for example, 
because of previous poor service or their approach to environmental issues. 


Switching under this part of the scheme will mean the termination of 
consumers’ existing energy contracts and the creation of new ones, which will 
affect the payments they have to make and to whom. Appropriate 
transparency measures need to ensure that consumers fully understand the 
process, and will recognise new demands for payments, thus avoiding the risk 
of falling into debt or increased debt through disengagement. 


The finalised form of these proposals will need to clarify the extent of any 
additional data sharing with organisations such as banks and financial 
institutions. In all cases, strong safeguards will be needed to ensure that 
consumers’ personal data is kept securely and is not used for unauthorised 
purposes. BEIS will also need to consider whether any specific details of the 
proposals might give rise to additional risk, for example, the potential for fraud 
which might arise if new, pre-populated direct debit documentation were to be 
intercepted. 


Assessment of the potential risks arising from the processing will need to 
include additional incidental adverse impacts on consumers arising from the 
data sharing and subsequent switching, including for those already in debt or 
with credit balances. For example, any credit checks that might be required as 
part of the switching under the ‘opt-out’ proposal could have important 
consequences for individuals, affecting their credit score. 


We note the plans for ‘reverse switching’ to allow consumers to revert to their 
previous supplier, if they object after the switching has already taken place. 
However, viewed in the round, BEIS needs to consider the necessity and 
proportionality of sharing consumers’ personal data so widely without the 
active participation of the consumer in the first place. We therefore welcome 
further engagement with BEIS so that we might understand more about their 
approach and the safeguards that they intend to implement. 